Nation-State Actors Unleash Stealthy, LuaJIT-Based Malware
Unknown Hackers Target Telecoms in Middle East, Europe, Asia With Novel Backdoor
SentinelOne security researchers have observed suspected cyberespionage actors of unknown origin using modular backdoors and highly stealthy tactics in August to target telecommunication companies in the Middle East, Western Europe and South Asia.
The group, tracked as Sandman, is using a novel backdoor built on LuaJIT, a just-in-time compiler for the Lua programming language that makes malicious Lua script code difficult to detect, SentinelOne found.
Dubbed LuaDream by SentinelOne, this novel backdoor loads a malicious ualapi.dll file onto the infected computer through the Fax and Windows Spooler services, but rather than immediately executing and risking detection, the malware waits for the victim to perform a system boot.
"LuaDream stands as a compelling illustration of the continuous innovation and advancement efforts that cyber espionage threat actors pour into their ever-evolving malware arsenal," said SentinelOne senior threat researcher Aleksandar Milenkoski in a blog post. Researchers did not find any artifacts or IP addresses that could link the activity with a known cyber actor.
SentinelOne researchers said an analysis of timestamps showed the development of the malware began in 2022, with the possible participation of a private contractor or mercenary group, as it is rare for threat actors to use the LuaJIT compiler to distribute malware.
Telecom companies have been under fire from nation-state attackers, most likely in an effort to steal data related to call and location information. SentinelOne in March attributed a flurry of cyberattacks aimed at telecommunication providers in the Middle East to Chinese state-sponsored groups Gallium and APT41. The attackers infiltrated internet-facing Microsoft Exchange servers to deploy web shells and conduct lateral movement, reconnaissance, credential theft and data exfiltration.
The Sandman campaign, which took place over several weeks in August, employed DLL hijacking to plant the malicious ualapi.dll file that masqueraded as a legitimate file with the same name.
DLL hijacking enables hackers to gain a foothold on infected computers by planting malicious DLL files in the locations an application searches when it loads its libraries. When the application loads, it activates the malicious DLL, giving hackers the opportunity to perform malicious operations. In this case, the malicious DLL file could be activated by the Fax or Windows Spooler service when that service started.
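As an added example of how a defender can hunt for the DLL-hijacking pattern described above (this is not SentinelOne's code or anything from its report), the following Python flags image loads of ualapi.dll by the Spooler or Fax service host processes that are unsigned, not Microsoft-signed, or loaded from an unexpected directory. The simplified key=value record format, the host process names spoolsv.exe and fxssvc.exe, and the sample records are assumptions constructed for this example.

```python
"""Hunt for suspicious loads of ualapi.dll by the Print Spooler or Fax service.

Added example, not SentinelOne's code. Records are constructed Sysmon-style
Event ID 7 (Image loaded) entries in a simplified 'Key=Value|Key=Value' form;
the field names mirror Sysmon's, the record format is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass

HOST_PROCESSES = {"spoolsv.exe", "fxssvc.exe"}   # assumed Spooler / Fax service hosts
TARGET_DLL = "ualapi.dll"
EXPECTED_DIR = r"c:\windows\system32"            # only location a legitimate copy should live


@dataclass
class Finding:
    process: str
    dll_path: str
    reason: str


def parse_record(line: str) -> dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; values may contain ':' and '\\'."""
    return dict(field.split("=", 1) for field in line.strip().split("|") if "=" in field)


def check_image_load(rec: dict[str, str]) -> Finding | None:
    """Return a Finding when a Spooler/Fax host loads a ualapi.dll that looks planted."""
    if rec.get("EventID") != "7":
        return None
    process = rec.get("Image", "").rsplit("\\", 1)[-1].lower()
    dll_path = rec.get("ImageLoaded", "")
    if process not in HOST_PROCESSES or not dll_path.lower().endswith("\\" + TARGET_DLL):
        return None
    if dll_path.rsplit("\\", 1)[0].lower() != EXPECTED_DIR:
        return Finding(process, dll_path, "loaded from unexpected directory")
    if rec.get("Signed", "false").lower() != "true":
        return Finding(process, dll_path, "unsigned DLL in System32")
    if "microsoft" not in rec.get("Signature", "").lower():
        return Finding(process, dll_path, "not signed by Microsoft")
    return None


def hunt(lines: list[str]) -> list[Finding]:
    """Run the check over raw log lines and collect every alert."""
    return [f for f in (check_image_load(parse_record(line)) for line in lines) if f]


# Constructed sample log: one planted, unsigned ualapi.dll plus benign noise.
SAMPLE_LOG = [
    "EventID=7|Image=C:\\Windows\\System32\\spoolsv.exe|ImageLoaded=C:\\Windows\\System32\\ualapi.dll|Signed=false|Signature=",
    "EventID=7|Image=C:\\Windows\\System32\\fxssvc.exe|ImageLoaded=C:\\Windows\\System32\\fxsapi.dll|Signed=true|Signature=Microsoft Windows",
    "EventID=7|Image=C:\\Windows\\System32\\spoolsv.exe|ImageLoaded=C:\\Windows\\System32\\localspl.dll|Signed=true|Signature=Microsoft Windows",
    "EventID=1|Image=C:\\Windows\\System32\\spoolsv.exe|CommandLine=spoolsv.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[ALERT] {f.process} loaded {f.dll_path}: {f.reason}")
```

The same check can be pointed at real Sysmon Event ID 7 exports once the field extraction is adapted to the export format in use.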
Threat actors also used the "pass the hash" technique over the NTLM authentication protocol to target specific workstations connected to the same network. "On one of the targets, all of the workstations were assigned to personnel in managerial positions," Milenkoski said.